Has anyone managed to get public key authentication working with Aruba Controller and OpenSSH? I saw the KB article and after mouthing "WTF? Seriously?" I managed to get OpenSSH's ssh-keygen to convert a RSA public key to a PEM. Sadly the controller is rejecting it as if it's not really a PEM or whatever internal reason it doesn't want to cough up.
I'm not interested in generating a CA and shouldn't have to. In my case it would weaken security as I myself have avoided running a proper CA setup. This is SSH not SSL. I guess I'm too busy being shocked that this thing doesn't support OpenSSH pub keys out of the box and it looks like PuTTY mainline lacks X509 support. Also I guess I can't have multiple SSH keys for a user, as in one for each client machine?
Has anyone figured out interop with OpenSSH yet?
Here is what worked for me in the past:
1. Generate a client cert using openssl.
2. Upload the client cert (without private key) to the controller as Certificate type = Public Cert Management -> Certificates -> Upload
3. Enable SSH authentication using client public key on the controller Management -> General
4. Add a management user (to use SSH public key) Management -> Administration -> Add User
On a linux machine:
5. Copy the client certificate private key to the user's ~/.ssh/ folder
6. Change its owner to the user and its access permissions to 600.
7. Optionally rename it to id_rsa
8. If not renamed, run the following command: "ssh -i ~/.ssh/<private key> <username>@<controller IP address>" // username should match user created on controller
9. You may get prompted for the private key passcode if set, and once entered you will get the controller prompt.
Let me know how it goes.
Thanks but that is pretty much the same as what is in the KB article and I frankly don't understand why any of it is necessary.
Is there no way to use the de facto standard OpenSSH public keys or even a PuTTY public key? I have existing keys that I want to use and I want to be able to use those keys with a wide range of devices. The Aruba controllers stand alone as the only thing I have access to that supports pubkey auth that doesn't directly handle these keys or offer a clear conversion path or tool (à la PuTTYgen).
I'm not even sure what certificate format it's expecting as I've used the OpenSSH ssh-keygen tool to generate a PEM but the controllers reject the resulting file with a non-helpful error.
Sorry if I come across as cranky but I'm honestly stupefied at the process laid out in the KB article for something as simple as handling an SSH key...
Thanks for your help so far.
I recommend you not try to use this feature. The reason it is there is for smart card users (the US military CAC to be specific), and the feature is optimized for someone who already has a certificate and needs to get it to work with SSH. Trying to go the other direction is just asking for pain, as you've seen.
I'll enter an enhancement request for allowing entry of SSH pubkeys directly. That should not be too complex to support. I'm actually a little surprised that in 9 years and over 2000 enhancement requests filed, nobody has asked for this before.
Ah OK. That makes sense then. Thanks for the definitive answer.
And thank you for putting in the feature request.
Ok, I bashed on this for an hour and finally managed to get this working. Not sure if it's still relevant to anyone, but this is how you convert your openssh certs to a format that Aruba likes.
First, this is mostly tested on Macs, since that's what we run here; if you run Windows or Linux, you're kinda on your own:
openssl req -x509 -key ~/<your ssh key folder>/<your private key> -days 1500 -newkey rsa:2048 -out ~/<your ssh key folder>/<your username>_pub.pem
That's it, now you need to do it for your backup controllers and then you can finally turn off your RADIUS or TACACS server to the controllers. I'd still recommend having username/password for the admin account just in case your keys get borked or your laptop dies.
Let me know if this works for anyone else!
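An added, non-interactive version of that conversion (example code written for this thread, not posted by anyone above) that also checks the resulting certificate carries the same public key as the existing SSH key and contains no private key, which is what step 2 of the earlier procedure requires. It assumes openssl on PATH, plus ssh-keygen only if the key is in the newer "OPENSSH PRIVATE KEY" container (the default since OpenSSH 7.8), which openssl cannot read; file names and the CN are placeholders.

```shell
#!/bin/sh
# Added example: wrap an existing OpenSSH RSA private key in a self-signed
# X.509 certificate for upload to the controller, then verify the result.
set -e

# make_cert KEY OUT CN [DAYS]
# Non-interactive form of the openssl command from the thread: -subj replaces
# the interactive prompts; -days defaults to 1500 as in the thread.
make_cert() {
    key=$1; out=$2; cn=$3; days=${4:-1500}
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
        # openssl only reads PEM/PKCS#8 keys. Rewrite the key in place as PEM
        # (ssh-keygen prompts for the old and new passphrase if one is set).
        ssh-keygen -p -m PEM -f "$key" >/dev/null
    fi
    openssl req -x509 -new -key "$key" -days "$days" -subj "/CN=$cn" -out "$out"
}

# cert_matches_key CERT KEY
# Prints "match" and returns 0 when the SubjectPublicKeyInfo in the
# certificate equals the public key derived from the private key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ "$from_cert" = "$from_key" ] && echo match
}

# cert_is_public_only CERT
# Prints "ok" when the file holds no private key material; only this file
# should ever be uploaded to the controller.
cert_is_public_only() {
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    echo ok
}

# Usage (placeholder paths and CN):
#   make_cert ~/.ssh/id_rsa ~/.ssh/admin_pub.pem admin
#   cert_matches_key ~/.ssh/admin_pub.pem ~/.ssh/id_rsa   # prints: match
#   cert_is_public_only ~/.ssh/admin_pub.pem               # prints: ok
```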
This worked great for me also. One note. If you have a lot of private ssh keys on your host you might have to edit your .ssh/config to present just the correct key, or you cannot log in with just a password.